When Good Passwords Go Bad

June 19th, 2015 | Uncategorized

Earlier this month, password manager LastPass announced that its systems had been breached, exposing user email addresses, password reminders, per-user salts and the hashed master passwords (authentication hashes) used to log in. Users were notified and prompted to change their master passwords.

Shortly after, news broke of a flaw in Apple’s Keychain that could let malicious software on a Mac steal passwords stored by other apps. Such a flaw could expose passwords for iCloud accounts, notes, photos, email accounts, banking, social media, you name it.

Both of these stories exemplify just how vulnerable our login systems are. As the LastPass hack shows – even when you are trying to do the right thing and safeguard your passwords, bad things can still happen.

One thing is certain: there is no surefire way to protect yourself against password loss due to hacks and malware unless you stay off the Internet altogether. However, there are some best practices you can implement to reduce the risk of a hack or breach.

Turn on Two-Factor Authentication
Two-factor authentication combines two of three kinds of factor:

  • Something you know, like a password
  • Something you have, like a hardware token, an authenticator app or a code messaged to your phone (a one-time code sent by SMS can be intercepted or redirected to another phone, so an app or hardware token is the stronger choice)
  • Something you are, like a fingerprint

Turning on two-factor authentication, especially on high-value accounts such as Amazon, Gmail and banking sites, is essential. Even if your password is lost, an attacker still needs the second factor to access your account.

Practice safe password habits.
Do not reuse a password across multiple sites. Develop a system that helps you remember the unique password you set for each account, or let a password manager generate and store them for you. Passwords should be long, should not consist of dictionary words and should mix character types (special characters, capitalization and punctuation, as the site allows). Change passwords every six months, change any password immediately when the site that holds it reports a breach, and use two-factor authentication whenever possible.

Monitor your identity.
Use a service that watches for your personal information being traded on the black market. Monitoring services will alert you if your personal information, like your email address or a password, is being shared on the dark web.

There are many interesting technologies and methods being explored to help secure our login systems. In the meantime, follow the best practices above to protect your accounts from unauthorized access. Were you impacted by the LastPass breach? Let us know how you responded on our Facebook or Twitter channels.

Tips for Government Employee Data Security After The OPM Breach

June 8th, 2015 | Breach, Uncategorized

On Thursday, June 4, the U.S. Office of Personnel Management (OPM) announced a cybersecurity incident affecting its systems and data that may have exposed the personal information of more than three million Federal personnel. As more becomes known about the cause and the culprit, employees may be wondering what they can do to reduce the risk of identity theft. With incidents like this becoming more prevalent, it is increasingly important for businesses and consumers to take every reasonable precaution to protect personal information. To help stay ahead of cyber criminals, we have put together a list of precautions consumers should take to protect their identity:

  • Practice safe password habits. Do not reuse a password across multiple sites. Develop a system that helps you remember the unique password you set for each account, or let a password manager generate and store them for you. Passwords should be long, should not consist of dictionary words and should mix character types (special characters, capitalization and punctuation, as the site allows). Change passwords every six months, change any password immediately when the site that holds it reports a breach, and use two-factor authentication whenever possible.
  • Be on the lookout for phishing attempts via email, phone and social media. Be wary of unsolicited phone calls and email messages from individuals asking about personal information. If an unknown individual claims to be from a legitimate organization, verify his or her identity directly with the company.
  • Monitor your identity. Use a service to monitor for suspicious activity of your personal information on the black market. Monitoring services will alert you if your personal information is being shared on the dark web.
  • Keep your devices secure. Avoid public Wi-Fi for anything sensitive, or use a VPN over it, and keep operating systems, applications and anti-virus software up to date.
  • Do not share personal information over email. Do not email sensitive information like your home address, social security number or bank account information.
  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (example: .com versus .net).
  • Monitor financial account statements. Immediately report any suspicious or unusual activity to financial institutions.
  • Request a free credit report and review for errors and misuse. Consumers are entitled to one free credit report per year from each of the three major credit bureaus: TransUnion, Experian, and Equifax.
  • Place a fraud alert on your credit file. Let creditors know to contact you before opening a new account in your name.
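To make the URL advice concrete, here is an added example (not CSID’s code, and not part of the original post) that checks a link against a short allow-list of sites the user actually intends to visit and flags the usual look-alike tricks: a real domain used as a subdomain of another, the same name under a different top-level domain, digit-for-letter swaps and one-character typos, a brand name joined with a hyphen, and internationalized (punycode) hostnames. The LEGITIMATE allow-list and the sample URLs are constructed, and registered_domain() assumes a single-label suffix (it would mis-handle .co.uk); a production check would use the Public Suffix List.

```python
"""Classify a URL as legitimate, a look-alike of a known site, or unknown.

Added example, not CSID's code. LEGITIMATE is a constructed allow-list of the
sites the user intends to visit; registered_domain() takes the last two labels,
an assumption that ignores multi-part suffixes such as .co.uk."""
from urllib.parse import urlsplit

LEGITIMATE = {"opm.gov", "csid.com", "irs.gov"}  # constructed allow-list

# Characters typosquatters swap for letters they resemble (illustrative, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels, e.g. 'login.opm.gov' -> 'opm.gov' (assumes single-label TLDs)."""
    return ".".join(host.split(".")[-2:])


def classify(url: str) -> tuple:
    """Return (verdict, reason); verdict is 'legitimate', 'lookalike', 'unknown' or 'invalid'."""
    host = urlsplit(url).hostname
    if not host:
        return ("invalid", "no hostname in URL")
    host = host.lower().rstrip(".")
    labels = host.split(".")

    # Exact match or a genuine subdomain of a known site. The leading dot matters:
    # 'opm.gov.evil.net' does not end with '.opm.gov'.
    for legit in LEGITIMATE:
        if host == legit or host.endswith("." + legit):
            return ("legitimate", legit)

    # Punycode labels can render as look-alike Unicode letters in the address bar.
    if any(lbl.startswith("xn--") for lbl in labels):
        return ("lookalike", "internationalized (punycode) hostname, not on the allow-list")

    reg = registered_domain(host)
    sld, tld = reg.split(".", 1) if "." in reg else (reg, "")
    for legit in LEGITIMATE:
        legit_sld, legit_tld = legit.split(".", 1)
        # Known domain used as a subdomain prefix: 'opm.gov.account-verify.net'
        if host.startswith(legit + "."):
            return ("lookalike", f"{legit} embedded as a subdomain of {reg}")
        # Same name, different suffix: 'csid.net' for csid.com
        if sld == legit_sld and tld != legit_tld:
            return ("lookalike", f"{reg} uses a different top-level domain than {legit}")
        # Digit-for-letter substitution or a one-character typo: '0pm.gov', 'opn.gov'
        if sld.translate(CONFUSABLES) == legit_sld or levenshtein(sld, legit_sld) <= 1:
            return ("lookalike", f"{reg} resembles {legit}")
        # Brand name glued to another word with a hyphen: 'irs-gov.com'
        if legit_sld in sld.split("-") and sld != legit_sld:
            return ("lookalike", f"{reg} contains the name {legit_sld}")
    return ("unknown", reg)


if __name__ == "__main__":
    for u in ("https://www.opm.gov/", "https://opm.gov.account-verify.net/login",
              "http://0pm.gov/", "http://csid.net/", "https://irs-gov.com/refund"):
        print(u, classify(u))
```

Short names such as irs produce more one-character false positives than long ones; in practice the distance check is run only within the same suffix, or the threshold is scaled with the length of the name. The "unknown" verdict is deliberate: a site that is not on the allow-list is not automatically malicious, but it is not the one the user thinks it is either.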

OPM has partnered with CSID to provide identity protection coverage to affected individuals. If you believe you may have been affected by this incident, please visit www.csid.com/opm for more information.

On the Front Lines: Your Guide to the Cybersecurity Workforce, Part III

June 4th, 2015 | Uncategorized

We’re happy to share a three-part guest blog series from writer Tricia Hussung on behalf of Russell Sage Online. As formal education becomes integral to the cybersecurity industry, more and more colleges and universities are establishing programs of study focused on digital culture and technological security. Russell Sage Online offers both a Bachelor of Science in Information Technology and Cybersecurity and an undergraduate Cybersecurity Certificate. Here’s more from Tricia on the latest trends in cybersecurity careers.

It may be surprising to learn that, despite their status as some of the most sought-after professionals in the tech sector, cybersecurity experts tend to remain employed at the same organizations for relatively long periods of time. The Semper Secure survey reports that 65 percent of cybersecurity professionals said they have worked at two or fewer organizations throughout their career. Industry insiders agree: Lee Vorthman, CTO of NetApp’s Federal Civilian Agencies unit says that, “These people aren’t jumping from job to job looking for salary bumps and signing bonuses. Many of them want to work for federal agencies and most of them tend to stick with employers for the long term. For companies, that means they better get them early or risk not getting them at all.”

This means that many of those interested in cybersecurity careers are passionate about technology itself, rather than the high salaries and growth potential they can expect upon graduation. As Jim Duffey, secretary of technology at the office of the governor of Virginia, puts it, “For top talent, cybersecurity isn’t about just a job and a paycheck. It is about the hottest technology, deployed by honorable organizations, for a purpose that is inherently important.”

What Makes a Paycheck?
Professionals in cybersecurity earn well above the national average for U.S. workers. In a recent survey by the SANS Institute, 49 percent of respondents said they earned $100,000 or more per year, mostly in management roles. The largest single group of respondents (23 percent) selected the $80,000 to $99,999 range; this group consisted mostly of engineers and administrators. There was a considerable gap between the overall average for management ($121,376) and that of non-management categories ($95,149).

Understandably, cybersecurity salaries are higher based on experience. The average professional starts out at around $74,000 per year, while those with 20 years of experience earn more than $123,000 per year. That difference across 20 years amounts to raises of about $2,500 for each year of experience gained. For both managers and non-managers, progressive salary increases can be expected, but management income remains over 20 percent higher than non-management income regardless of experience.

Education is an important factor in determining salary levels. The same SANS report states that those holding bachelor’s degrees and 7 to 10 years of experience earn average incomes of over $100,000. Those with more advanced degrees “achieve this level of pay sooner.” Less education correlates with lower pay: respondents with an associate degree reported an average of $64,302, and bachelor’s degree holders $71,564.

When education and experience are combined, salary is affected further. Those who have been in the industry for over 10 years and hold advanced degrees have a significantly higher salary than their less educated, less experienced peers. As cybercrime threats continue to become more widespread and security becomes more vital, “the need for advanced degrees is predicted to continue to be in high demand,” according to SANS.

While formal education remains a central factor in the employability of cybersecurity professionals, certifications are another leading contributor to successful careers. The SANS survey reports that, in 2008, a majority of hiring managers “felt that certifications were an important (or key) requirement for hiring.” Demand for certified experts is only growing, as more and more organizations require specialized skills in incident handling and response, audit and compliance, and firewall/IDS/IPS/SIEM. Currently employed cybersecurity professionals agree with this assessment: 85 percent of survey respondents said that they hold a professional certification such as the Certified Information Systems Security Professional (CISSP).

Want more information about careers in cybersecurity? Read more at Russell Sage Online.

On the Front Lines: Your Guide to the Cybersecurity Workforce, Part II

June 3rd, 2015 | Uncategorized

We’re happy to share a three-part guest blog series from writer Tricia Hussung on behalf of Russell Sage Online. As formal education becomes integral to the cybersecurity industry, more and more colleges and universities are establishing programs of study focused on digital culture and technological security. Russell Sage Online offers both a Bachelor of Science in Information Technology and Cybersecurity and an undergraduate Cybersecurity Certificate. Here’s more from Tricia on the latest trends in cybersecurity careers.

The work environment for cybersecurity professionals is largely dependent on whether an organization is experiencing a security attack. During these times of crisis, workload priorities shift dramatically from a “steady-state operating environment” to a surge capacity. To adjust, cybersecurity professionals need the knowledge and skills to quickly respond to threats as soon as they arise. The ability to quickly and effectively counter security threats is vital, as the stakes are dangerously high. However, during maintenance periods in which no threats are imminent, these individuals must maintain high performance. This means that there is no such thing as an ‘average work day’ for cybersecurity professionals. They must be prepared with a wide range of technical abilities to perform a wide variety of activities while remaining collaborative.

Though it is often considered a subset of information technology, the Institute of Electrical and Electronics Engineers (IEEE) reports that daily cybersecurity work goes beyond the scope of IT. It includes “the analysis of policy, trends and intelligence to better understand how an adversary may think or act — using problem solving skills often compared to those of a detective.” Because of this, the IEEE recommends that prospective cybersecurity professionals be “those who can see themselves in fast-paced environments” with unpredictable working hours. However, one of the advantages of the field is that it is constantly evolving. Professionals in the developing cybersecurity workforce come from different educational backgrounds and are prepared for varying career paths such as those mentioned above.

Salary Information
In general, the salaries for cybersecurity careers are high. The Wall Street Journal reports that the salary for engineers, analysts, architects and other types of trained cybersecurity professionals averaged $101,000 based on advertised information. The same article states that this is “well above” the expected salary for IT professionals, which according to the Bureau of Labor Statistics is $86,000.

Though these broad numbers are certainly encouraging, salary data for specific cybersecurity careers is even more impressive. It is important to note that these salaries are estimated and can vary based on experience and specific skill area.

  • Data security analysts earn anywhere from $89,000 to $121,500 according to Robert Half Technology, a national provider of IT professionals. Modis, a global provider of IT staffing services, reports that analysts at entry-level earn an average of $70,500, while those in supervisory and management roles earn from $93,300 to $110,100.
  • Security administrators have a wider range of earning potential, from $49,400 to $114,500 per year according to Modis. Robert Half categorizes security administrators into two groups: systems security and network security. By their estimate, a systems security administrator can earn $85,250 to $117,750 per year, while network security administrators earn from $85,000 to $116,750 annually.
  • Information systems security managers earn from $103,500 to $143,500 per year according to Robert Half, while Modis projects annual earnings to be from $78,300 to $142,000. These numbers include base pay and incentives.
  • Systems/application security analysts can expect to earn $85,800 per year for base salary, according to Modis. With incentives, this number rises to $89,200.
  • Network security engineers earn anywhere from $89,500 to $116,750 annually according to Robert Half.

Want more information about careers in cybersecurity? Read more at Russell Sage Online.

On the Front Lines: Your Guide to the Cybersecurity Workforce, Part I

June 2nd, 2015 | Uncategorized

We’re happy to share a three-part guest blog series from writer Tricia Hussung on behalf of Russell Sage Online. As formal education becomes integral to the cybersecurity industry, more and more colleges and universities are establishing programs of study focused on digital culture and technological security. Russell Sage Online offers both a Bachelor of Science in Information Technology and Cybersecurity and an undergraduate Cybersecurity Certificate. Here’s more from Tricia on the latest trends in cybersecurity careers.

It’s no secret that cybercrime is a serious global issue. More than 1.5 million people a day are victims of cybercrime and the global cost has reached $100 billion. Facing data like this, the federal government has recently ranked cybercrime as a top security threat. In fact, the U.S. Director of National Intelligence pointed to cybercrime as a top security threat, “higher than that of terrorism, espionage and weapons of mass destruction.”

President Barack Obama also noted that “developing effective cybersecurity measures and capabilities is one of the most serious economic and national security challenges we face as a nation.” Recent security breaches affecting Target, Home Depot, JP Morgan Chase and Sony Entertainment brought cybercrime into the mainstream media, but these attacks are nothing new. One recent report identifies inferior skill levels as a contributing factor to this issue, pointing out that “the cybersecurity programs of U.S. organizations do not yet rival the persistence, tactical skills and technological prowess of their potential cyber adversaries.” For these reasons, trained cybersecurity professionals are more in demand than ever before.

Why Cybersecurity?
Qualified cybersecurity professionals are the main defense against cybercrimes, protecting networks and creating secure environments for organizations of all types. As experts, they use highly technical tools and skills to audit systems. These specialized competencies are the reason that businesses hire cybersecurity professionals: they monitor networks for attack traffic and deploy countermeasures to protect sites of all kinds. And, organizations are taking the development of security seriously. In fact, the global cybersecurity market is expected to grow to $120.1 billion by the year 2017.

The demand for cybersecurity professionals is growing at 3.5 times the rate of overall IT jobs and 12 times faster than the job market overall. This growth is a continuation of an ongoing trend; the demand for cybersecurity experts grew 73 percent between 2007 and 2012. Especially in fields like health care, education and public administration, this growth will no doubt continue in the coming years.

The Cybersecurity Workforce
The National Initiative for Cybersecurity Education (NICE) recently partnered with the Federal Chief Information Officer’s Council to develop a workplace assessment for the cybersecurity workforce. A total of 22,956 participants from more than 50 federal departments and agencies completed this assessment, which collected demographic information, pay grade, age range, experience, education and certifications. One important finding of this report is that the majority of participants (78.5 percent) are above the age of 40, while participants aged 30 or younger account for just over five percent.

This disparity in age demonstrates part of why there is such a demand for cybersecurity professionals in today’s workplace — many of the current trained, experienced professionals are approaching retirement age. In addition, participants indicated a strong need for trained specialists in information assurance (IA) compliance, vulnerability assessment and management, and knowledge management. All of these skill areas are part of the modern cybersecurity curriculum for most degree programs.

Want more information about careers in cybersecurity? Read more at Russell Sage Online.

May Recap: ID360 Is a Wrap; Good News for Cybersecurity Higher Ed; S’more Fun at the Office

June 1st, 2015 | Uncategorized

In May, we enjoyed participating in the annual ID360 conference and connecting with other attendees around this year’s topic, the “Identity Economy.” Also this month: the UT Center for Identity created a Master of Science degree in Identity Management and Security, CSID execs shared insight on identity management in the era of the Internet of Things, a major IRS breach made headlines, and CSID employees spent some time unwinding and satisfying their sweet tooth.

ID360 Comes to a Close
We were busy in early May ramping up for our sessions at the annual ID360 Conference, put on by our friends at the UT Center for Identity. Each year, the event brings together stakeholders and industry experts from the private sector, government and academia to discuss the latest research and most forward thinking ideas around identity management.

The theme this year was “The Identity Economy,” and our own Joe Ross and Adam Tyler weighed in on the following topics. For a full description of each of the sessions, check out our ID360 Sneak-Peek post.

  • Finding a Cure for Medical Identity Theft
  • Securing Digital Wallets Before Majority Adoption
  • Identity Crimes: Your Money or Your Life?

UT Center for Identity Launches a Cybersecurity University Program
We were excited to see major strides towards strengthening cybersecurity higher-education through the creation of the Master of Science in Identity Management and Security degree from the UT Center for Identity. Interested in learning more about the program requirements and opportunities for career paths? Take a look at the course overview.

CSID Execs Weigh In on Cybersecurity Topics
CSID’s Managing Director of Europe, Andrew Thomas, shared insight into how to mitigate risk in the hyper connected age of the Internet of Things. Check out his articles with Information Age and IT Security Guru.

IRS Breach Changes the Way Businesses and Consumers Think About PII
Last month’s major IRS breach, attributed to a syndicate in Russia, made headlines. Attackers successfully pulled the tax transcripts of about 104,000 individuals and claimed nearly $50 million in fraudulent refunds. Be sure to check out our recap of the news.

Having S’More Fun at the Office
We took a small break to unwind – and indulge our sweet tooth – with some s’mores-making at the office mid-month. It was a great chance to mix and mingle and see who brought the best s’mores skills.

Check out what else we were up to in May on Facebook, Twitter and LinkedIn!

IRS Breach Shows What Happens to PII After it is Sold on the Black Market

May 29th, 2015 | Breach, Uncategorized

The IRS experienced a breach that is changing the way businesses and consumers think about personal information. Reporters attribute the IRS breach to a crime syndicate in Russia, which used personal information obtained elsewhere to get through the Get Transcript feature on the IRS website: the feature authenticated taxpayers with knowledge-based questions (Social Security number, date of birth, address and “out of wallet” questions about their financial history), all of which the attackers could answer from previously stolen data. They successfully pulled the transcripts of about 104,000 individuals and claimed nearly $50 million in fraudulent refunds.

“This breach is not just about what this single group is going to do with the information, but what happens when this information gets sold on the black market,” said cybersecurity author Peter Warren Singer to The New York Times. “It’s rare for the actual attackers to turn the information directly into money. They’re stealing the data and selling it off to other people.”

As Singer points out, this breach demonstrates how cyber criminals can take stolen data and exploit an online system to pick the pockets of thousands of consumers. Major data breaches thus far have proven that cyber criminals have the know-how to exploit major retailers’ security systems; this breach proves these criminals have more sophisticated schemes in their back pocket to cash in on the information they’ve stolen without having to find a vulnerability in an organization’s security system.

This is costly to businesses as it highlights the limited control they have on security breaches. Maintaining a healthy, secure system helps businesses avoid data breaches, but cyber criminals are working around secure systems by taking advantage of customers’ personal information. Gizmodo reporter Kate Knibbs calls this a “domino effect.” The way it works is that cyber criminals hack into a business’ system and steal customer data. Using that customer data, which includes name, address, email credentials and Social Security number, cyber criminals can log in to another business to make purchases or otherwise financially exploit a business. The result? A business is hijacked without its security system ever being hacked into. Cyber criminals are finding these workarounds, making their schemes more sophisticated and harder to identify from the outside.

So what exactly can we do to mitigate the risk of these types of breaches? Businesses and consumers must develop better habits and methods to protect their identities online. Password reuse is one of the most damaging habits of consumers. In fact, six out of 10 admit to reusing passwords across multiple sites. Convenience typically wins over security when it comes to interacting online. Businesses must innovate convenient options for consumers to better protect their digital identities. In the meantime, monitoring customer and employee credentials is a business’ best bet for protecting their assets.

How does this breach affect the way businesses handle security? How can businesses and consumers prioritize security over convenience when it comes to protecting digital identities? Let us know what you think on Facebook, Twitter and LinkedIn.

Healthcare Data Breaches Have Grown 125 Percent in Five Years

May 26th, 2015 | Breach, Uncategorized

There has been a noticeable uptick in the number of criminal attacks against healthcare facilities in the last five years. Ponemon recently released its Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, which reported a 125 percent increase in cyber attacks targeting healthcare data. The major shift in healthcare data breaches, according to the study, is that cyber criminals are intentionally targeting and exploiting healthcare data rather than coming across it incidentally during other attacks.

This shift in active pursuit of healthcare data shows that cyber criminals understand the value of healthcare data on the black market. Through our recent research, we have found that a medical identity, which includes a name, address, Social Security and health ID numbers, sells for $50 on the black market. A Social Security number sells for $1 and an active credit card sells for $3. A major contributing factor to the increase in healthcare breaches may also be due to the shift to digital healthcare records. Starting this year, healthcare facilities that do not show “meaningful use” of electronic health records are penalized, causing facilities to scramble to put records online.

The healthcare industry is still catching up on security best practices, which is why we’ve put together the top three ways healthcare organizations can keep their patient records secure:

  1. Educate employees. The most important part of having a secure network is making sure your employees follow your security standards. Educate employees on how medical identity theft happens and what HIPAA requires of them to keep patient data safe.
  2. Track, encrypt and password-protect mobile devices. Employees are connected via mobile devices more than ever, whether or not you have a formal BYOD policy. Create a policy that puts strict limits on how patient data can be viewed and shared on devices, and enforce it with device encryption, screen locks and the ability to wipe a lost device.
  3. Create an identity crisis response plan. If your healthcare data is breached, have a crisis plan in place, including communication with patients. Maintain the plan by training staff on the relevant policies and procedures.

Are you surprised by the value of medical identities on the black market? How else can the healthcare industry get up to speed on best security practices? Let us know what you think on Facebook, Twitter and LinkedIn.

Digital Wallets in the Crosshairs

May 15th, 2015 | Uncategorized

Digital wallets have been a hot topic for us lately. Their use is growing, and as with everything in cyber security, online criminals follow the money. Kaspersky Lab said it best:

“Enthusiasm over this new payment platform (Apple Pay) is going to drive adoption through the roof and that inevitably attracts many cyber criminals looking to reap the rewards of these transactions.”

This “follow the money” mentality was on display this week when news broke of an attack on individual Starbucks mobile wallet accounts, widely reported as a “brute force” attack but more precisely credential stuffing. Thieves took advantage of two things: consumers’ bad password habits, and the Starbucks app’s willingness to accept login attempt after login attempt without locking out or throttling the account. They buy email addresses and passwords leaked from other breaches on the underground market, then use automated programs to replay those pairs against high-value sites like the Starbucks app. Such programs can try hundreds of login combinations in a matter of seconds, and they only need one consumer who reused credentials to cash in.
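What the defending side can do about the attack just described, as an added example that is not Starbucks’ or CSID’s code: a detector that runs over a login log and flags a source address that hits many distinct accounts within a short window with mostly failures (the signature of replaying a purchased credential list), and the per-account throttle the Starbucks app reportedly lacked. The log lines are constructed, and the thresholds (five accounts in sixty seconds, five failures in fifteen minutes) are assumptions to tune against real traffic.

```python
"""Credential-stuffing detection over a login log, plus a per-account throttle.

Added example, not Starbucks' or CSID's code. The log lines below are constructed
and the thresholds are assumptions to tune against real traffic."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 replays a purchased list against many accounts
# and gets one hit; 198.51.100.9 is one user mistyping and then succeeding.
SAMPLE_LOG = """\
2015-05-13T10:00:00Z ip=203.0.113.7 user=alice@example.com result=FAIL
2015-05-13T10:00:01Z ip=203.0.113.7 user=bob@example.com result=FAIL
2015-05-13T10:00:01Z ip=203.0.113.7 user=carol@example.com result=FAIL
2015-05-13T10:00:02Z ip=203.0.113.7 user=dave@example.com result=OK
2015-05-13T10:00:02Z ip=203.0.113.7 user=erin@example.com result=FAIL
2015-05-13T10:00:03Z ip=203.0.113.7 user=frank@example.com result=FAIL
2015-05-13T10:00:05Z ip=198.51.100.9 user=grace@example.com result=FAIL
2015-05-13T10:00:09Z ip=198.51.100.9 user=grace@example.com result=OK
"""


def parse(line: str) -> dict:
    """'<timestamp> ip=.. user=.. result=..' -> event dict."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": kv["ip"], "user": kv["user"], "ok": kv["result"] == "OK"}


def detect_stuffing(lines, window=timedelta(seconds=60), min_accounts=5, max_success_rate=0.5):
    """Flag a source that, within `window`, tries many distinct accounts with mostly
    failures. A real user retries one account; a stuffing tool tries each stolen
    pair once, so distinct accounts per source is the signal, not failures per account."""
    recent = defaultdict(deque)  # ip -> events inside the window
    flagged, alerts = set(), []
    for ev in map(parse, lines):
        q = recent[ev["ip"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        accounts = {e["user"] for e in q}
        rate = sum(e["ok"] for e in q) / len(q)
        if len(accounts) >= min_accounts and rate <= max_success_rate and ev["ip"] not in flagged:
            flagged.add(ev["ip"])
            alerts.append({"ip": ev["ip"], "accounts": len(accounts), "attempts": len(q),
                           "hits": [e["user"] for e in q if e["ok"]]})  # accounts to force-reset
    return alerts


class AccountThrottle:
    """Refuse logins to an account after `max_failures` failures within `period`.
    This stops password guessing against one account; on its own it does not stop
    stuffing (one try per account), which is why detect_stuffing() watches the source."""

    def __init__(self, max_failures: int = 5, period: timedelta = timedelta(minutes=15)):
        self.max_failures, self.period = max_failures, period
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures

    def allow(self, user: str, now: datetime) -> bool:
        q = self.failures[user]
        while q and now - q[0] > self.period:
            q.popleft()
        return len(q) < self.max_failures

    def record_failure(self, user: str, now: datetime) -> None:
        self.failures[user].append(now)


if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG.splitlines()):
        print(alert)
```

The two controls complement each other. A per-account lockout alone is bypassed by a stuffing tool that tries each stolen pair exactly once, and a lockout that is too aggressive lets an attacker lock legitimate users out of their own accounts, so the throttle here expires automatically. The per-source detector catches the spray pattern, and its `hits` list is the set of accounts whose reused password has just been confirmed and should be reset.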

We saw a similar process happen to Jomoco – a fictitious small business we created to see just how quickly a small business can be brought down by hackers. Fictional Jomoco employee, Rachel, was guilty of reusing email addresses and passwords across multiple accounts. When we leaked her email address and password for her personal email account on the online black market one of the first things the hackers did was try it out on other sites. They quickly discovered that they could also access her business email account, which happened to host sensitive business information. Long story short, Jomoco was compromised in every way possible in less than an hour – all because Rachel reused passwords. You can read more about Jomoco on our website.

If you use a mobile wallet – whether it’s the Starbucks app or Apple Pay – always use a unique, secure password and turn on two-factor authentication if it is offered. Similar to how we saw a rise in POS breaches in 2013 and 2014, we fully expect to see a growing number of incidents and breaches involving mobile wallets in 2015, especially as consumers and businesses continue to figure out best security practices for this new technology.

Are you hesitant to use digital wallets? How do you combat reusing passwords across multiple sites? Let us know what you think on Facebook, Twitter and LinkedIn!

Cyber Criminals Shut Down an SMB in One Hour

May 11th, 2015 | Uncategorized

There’s a huge misconception among small businesses that cyber criminals are only interested in stealing data from big names like Target, Home Depot and Neiman Marcus. This mindset may lead a small business (SMB) to under-invest in security measures and to enforce security policies at work only loosely. In fact, only 2 in 5 SMBs have a social media policy in place and only 2 in 10 SMBs plan to increase security spending this year. The truth of the matter is that cyber criminals look for the path of least resistance that gets them the most information as fast as possible.

With the growth of startup culture across the nation, we decided to test just how easy it is for cyber criminals to infiltrate a budding business. Thanks to the ingenuity of the sales and marketing team and some dark web help from our cyber team, Jomoco was brought to life. Jomoco is a fictitious coconut water company with a groovy coconut mascot and two fabricated employee personas. We set up Jomoco like any other startup would – with a company website, server, employee personal and work email addresses, a credit card and some employee social media accounts. CSID also ensured that Jomoco’s fictional employees made common mistakes when protecting their professional and personal data online, including sharing sensitive information via email and reusing passwords across multiple sites. The real cyber criminals took it from there.

Within one hour, Jomoco was taken over by cyber criminals. The website was defaced, the credit card had been used and employees were locked out of work emails and social media sites.

Interested in finding out how cyber criminals took down this business so fast? Download our case study to get the complete story, including pictures of the defaced website and the dark web forums where Jomoco’s credit card information was shared. If you’re an SMB looking to better protect your data, here are tips from the National Cyber Security Alliance on how to make your business more secure.

How can SMBs better protect their assets? What are some ways employees can protect business data? Please share your thoughts with us on Facebook, Twitter and LinkedIn! We’d love to hear what you have to say.
